FAQ: CGI User Permissions

When I run Sawmill as a CGI, it runs as a special user (nobody, web, apache, etc.). Then when I want to use Sawmill from the command line or in web server mode, the permissions don't allow it. What can I do about this?

Short Answer

Loosen the permissions in the Preferences, or run your CGI programs as a different user, or run your command line programs as the CGI user.

Long Answer

For security reasons, UNIX web servers often run CGI programs as a special
user, often user nobody, or user web, or user cgi, or user apache.
When you run Sawmill in CGI mode, it runs as this user, and any files it creates
are owned by that user. This can cause problems if you later need to
run Sawmill as a different user, for instance to run a command-line database update--
the files which were created as the CGI user will not be accessible to the
non-CGI user, and you will get errors about Sawmill not being able to read or write
certain files.

There are several possible solutions to this problem:

You can run your command lines as the CGI user. This is often the easiest
solution. Of your CGI user is user nobody, then use "su nobody" to change
to user nobody, and then run your commands as that user. Since both the CGI
version and the command-line version will be running as the same user, there
will be no permissions issues. You may need to configure a password, shell, and home directory
for user nobody before you can log in as that user, which will require root access.
This option is slightly insecure because giving user "nobody" a home directory and
a shell makes it a slightly more powerful user; if the purpose of using "nobody"
as the CGI user was to run CGI programs with a powerless user, this circumvents that security
somewhat.

You can run your CGI program as the command-line user. If your username
is "myself", then you can reconfigure your web server to run CGI programs
as that user, rather than the user it's using now. You may even be able to configure
the server to run only Sawmill as that user, while continuing to run other programs
with the usual CGI user. Because both the CGI version of Sawmill and the command line
version will be running as user "myself", there will be no permissions issues.
This may be difficult to configure, however; see your web server documentation for
instructions on how to configure your server to run CGI programs as a different user.
On some servers, this may not be possible.

You can change the permissions of the files that Sawmill creates,
by editing the permissions options in the Preferences. This is
usually an insecure solution, however, since you'll need to loosen
many of the permissions to 777 (everyone can read, write, execute/search),
which makes your files vulnerable to modification by unauthorized users on
the machine. This option may be acceptable, however, if access to the machine
is limited to authorized users; i.e. if the only ones who can log in by telnet,
SSH, FTP, etc. are those who are trusted Sawmill administrators.

Any one of these solutions will work; you do not need to do more than one of these.